Add query parameter whitelisting

Author: Hans Kristian Flaatten

README.md

@@ -10,6 +10,7 @@ useful when building an API and accepting various user specificed queries.
 
 * Aliased query parameters
 * Blacklisted query parameters
+* Whitelisted query parameters
 * Basic operators
   * `$ne`
   * `$gt`
@@ -38,6 +39,7 @@ var MongoQS = require('mongo-querystring');
 * `Array` ops - list of supported operators
 * `object` alias - query param aliases
 * `object` blacklist - blacklisted query params
+* `object` whitelist - whitelisted query params
 * `object` custom - custom query params
 
 #### Bult in custom queries

src/index.litcoffee

@@ -6,6 +6,7 @@
       @ops = opts?.ops or ['!', '^', '$', '~', '>', '<']
       @alias = opts?.alias or {}
       @blacklist = opts?.blacklist or {}
+      @whitelist = opts?.whitelist or {}
       @custom = opts?.custom or {}
 
       for param, field of @custom
@@ -83,6 +84,7 @@ Main query param parser method which follows the following order of operations.
       res = {}
 
       for key, val of query
+        continue if Object.keys(@whitelist).length and not @whitelist[key]
         continue if @blacklist[key]
         continue if typeof val isnt 'string'
         continue if not /^[a-zæøå0-9-_.]+$/i.test key

test/suite.coffee

@@ -155,6 +155,15 @@ describe 'parse()', ->
       qs = new MongoQS blacklist: foo: true, bar: true
       assert.deepEqual qs.parse({foo: 'bar', bar: 'foo', baz: 'bax'}), baz: 'bax'
 
+  describe 'whitelisting', ->
+    it 'should allow key', ->
+      qs = new MongoQS whitelist: foo: true
+      assert.deepEqual qs.parse({foo: 'bar', bar: 'foo', baz: 'bax'}), foo: 'bar'
+
+    it 'should allow multiple keys', ->
+      qs = new MongoQS whitelist: foo: true, bar: true
+      assert.deepEqual qs.parse({foo: 'bar', bar: 'foo', baz: 'bax'}), foo: 'bar', bar: 'foo'
+
   describe 'custom', ->
     it 'should enable built in bbox handler', ->
       qs = new MongoQS custom: bbox: 'geojson'